Monday, 30 September 2019

Check AWS S3 encryption from CLI

Check AWS S3 encryption from CLI

There different ways to encryption AWS S3 from CLI. The secret is from AWS CLI, you can leverage the functions normally exposed by the AWS REST APIs.
  • Use put-bucket-encryption

This would setup the default encryption for S3 bucket,
$ aws s3api put-bucket-encryption --bucket <Bucket Name> --server-side-encryption-configuration '{
  "Rules": [
    {
      "ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": "AES256"
      }
    }
  ]
}'
To check the default encryption setup, use the following command:
$ aws s3api get-bucket-encryption --bucket withsin2
{
    "ServerSideEncryptionConfiguration": {
        "Rules": [
            {
                "ApplyServerSideEncryptionByDefault": {
                    "SSEAlgorithm": "AES256"
                }
            }
        ]
    }
}
  • Use copy-object

For existing buckets or objects in the bucket, use copy-object to encrypt.
$ aws s3api copy-object --copy-source <Bucket Name>/<Object Name> --key <Key Name> --bucket <Bucket Name> --server-side-encryption aws:kms
Use the following command to check whether the object is encrypted or not.
aws s3api head-object --bucket <Bucket Name> --key <Key Name>